8048194: GSSContext.acceptSecContext fails when a supported mech is not initiator preferred
Reviewed-by: mullan
--- a/jdk/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java Mon Jul 21 22:09:38 2014 +0800
+++ b/jdk/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java Mon Jul 21 22:10:37 2014 +0800
@@ -523,13 +523,6 @@
valid = false;
}
- // get the mechanism token
- byte[] mechToken = initToken.getMechToken();
- if (mechToken == null) {
- throw new GSSException(GSSException.FAILURE, -1,
- "mechToken is missing");
- }
-
/*
* Select the best match between the list of mechs
* that the initiator requested and the list that
@@ -545,7 +538,19 @@
internal_mech = mech_wanted;
// get the token for mechanism
- byte[] accept_token = GSS_acceptSecContext(mechToken);
+ byte[] accept_token;
+
+ if (mechList[0].equals(mech_wanted)) {
+ // get the mechanism token
+ byte[] mechToken = initToken.getMechToken();
+ if (mechToken == null) {
+ throw new GSSException(GSSException.FAILURE, -1,
+ "mechToken is missing");
+ }
+ accept_token = GSS_acceptSecContext(mechToken);
+ } else {
+ accept_token = null;
+ }
// verify MIC
if (!GSSUtil.useMSInterop() && valid) {
@@ -594,9 +599,27 @@
retVal = targToken.getEncoded();
} else if (state == STATE_IN_PROCESS) {
+ // read data
+ byte[] token = new byte[is.available()];
+ SpNegoToken.readFully(is, token);
+ if (DEBUG) {
+ System.out.println("SpNegoContext.acceptSecContext: " +
+ "receiving token = " +
+ SpNegoToken.getHexBytes(token));
+ }
+
+ // read the SPNEGO token
+ // token will be validated when parsing
+ NegTokenTarg inputToken = new NegTokenTarg(token);
+
+ if (DEBUG) {
+ System.out.println("SpNegoContext.acceptSecContext: " +
+ "received token of type = " +
+ SpNegoToken.getTokenName(inputToken.getType()));
+ }
+
// read the token
- byte[] client_token = new byte[is.available()];
- SpNegoToken.readFully(is, client_token);
+ byte[] client_token = inputToken.getResponseToken();
byte[] accept_token = GSS_acceptSecContext(client_token);
if (accept_token == null) {
valid = false;
@@ -1055,7 +1078,7 @@
* This is only valid on the acceptor side of the context.
* @return GSSCredentialSpi object for the delegated credential
* @exception GSSException
- * @see GSSContext#getDelegCredState
+ * @see GSSContext#getCredDelegState
*/
public final GSSCredentialSpi getDelegCred() throws GSSException {
if (state != STATE_IN_PROCESS && state != STATE_DONE)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/sun/security/jgss/spnego/NotPreferredMech.java Mon Jul 21 22:10:37 2014 +0800
@@ -0,0 +1,100 @@
+/*
+ * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8048194
+ * @run main/othervm NotPreferredMech
+ * @summary GSSContext.acceptSecContext fails when a supported mech is not initiator preferred
+ */
+
+import org.ietf.jgss.*;
+import sun.security.jgss.*;
+import sun.security.jgss.spnego.NegTokenInit;
+import sun.security.jgss.spnego.NegTokenTarg;
+import sun.security.util.BitArray;
+import sun.security.util.DerOutputStream;
+import sun.security.util.DerValue;
+import sun.security.util.ObjectIdentifier;
+
+import java.io.ByteArrayOutputStream;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Method;
+
+public class NotPreferredMech {
+
+ public static void main(String[] argv) throws Exception {
+
+ // Generates a NegTokenInit mechTypes field, with an
+ // unsupported mech as the preferred.
+ DerOutputStream mech = new DerOutputStream();
+ mech.write(new Oid("1.2.3.4").getDER());
+ mech.write(GSSUtil.GSS_KRB5_MECH_OID.getDER());
+ DerOutputStream mechTypeList = new DerOutputStream();
+ mechTypeList.write(DerValue.tag_Sequence, mech);
+
+ // Generates a NegTokenInit mechToken field for 1.2.3.4 mech
+ GSSHeader h1 = new GSSHeader(new ObjectIdentifier("1.2.3.4"), 1);
+ ByteArrayOutputStream bout = new ByteArrayOutputStream();
+ h1.encode(bout);
+ bout.write(new byte[1]);
+
+ // Generates the NegTokenInit token
+ Constructor<NegTokenInit> ctor = NegTokenInit.class.getDeclaredConstructor(
+ byte[].class, BitArray.class, byte[].class, byte[].class);
+ ctor.setAccessible(true);
+ NegTokenInit initToken = ctor.newInstance(
+ mechTypeList.toByteArray(),
+ new BitArray(0),
+ bout.toByteArray(),
+ null);
+ Method m = Class.forName("sun.security.jgss.spnego.SpNegoToken")
+ .getDeclaredMethod("getEncoded");
+ m.setAccessible(true);
+ byte[] spnegoToken = (byte[])m.invoke(initToken);
+
+ // and wraps it into a GSSToken
+ GSSHeader h = new GSSHeader(
+ new ObjectIdentifier(GSSUtil.GSS_SPNEGO_MECH_OID.toString()),
+ spnegoToken.length);
+ bout = new ByteArrayOutputStream();
+ h.encode(bout);
+ bout.write(spnegoToken);
+ byte[] token = bout.toByteArray();
+
+ // and feeds it to a GSS acceptor
+ GSSManager man = GSSManager.getInstance();
+ GSSContext ctxt = man.createContext((GSSCredential) null);
+ token = ctxt.acceptSecContext(token, 0, token.length);
+ NegTokenTarg targ = new NegTokenTarg(token);
+
+ // Make sure it's a GO-ON message
+ Method m2 = NegTokenTarg.class.getDeclaredMethod("getNegotiatedResult");
+ m2.setAccessible(true);
+ int negResult = (int)m2.invoke(targ);
+
+ if (negResult != 1 /* ACCEPT_INCOMPLETE */) {
+ throw new Exception("Not a continue");
+ }
+ }
+}